Merge branch 'feature/events-option' of https://github.com/michaelrhodes/github-webhook-handler into michaelrhodes-feature/events-option

rvagg · rvagg · commit baf85dc17e2e · 2016-07-13T21:26:46.000+10:00
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ github-webhook-handler exports a single function, use this function to *create*
 
  * `"path"`: the complete case sensitive path/route to match when looking at `req.url` for incoming requests. Any request not matching this path will cause the callback function to the handler to be called (sometimes called the `next` handler).
  * `"secret"`: this is a hash key used for creating the SHA-1 HMAC signature of the JSON blob sent by GitHub. You should register the same secret key with GitHub. Any request not delivering a `X-Hub-Signature` that matches the signature generated using this key against the blob will be rejected and cause an `'error'` event (also the callback will be called with an `Error` object).
+ * `"events"`: an optional array of whitelisted event types (see: *events.json*). If defined, any incoming request whose `X-Github-Event` can't be found in the whitelist will be rejected. If only a single event type is acceptable, this option can also be a string.
 
 The resulting **handler** function acts like a common "middleware" handler that you can insert into a processing chain. It takes `request`, `response`, and `callback` arguments. The `callback` is not called if the request is successfully handled, otherwise it is called either with an `Error` or no arguments.
 
diff --git a/github-webhook-handler.js b/github-webhook-handler.js
@@ -20,6 +20,14 @@ function create (options) {
   if (typeof options.secret != 'string')
     throw new TypeError('must provide a \'secret\' option')
 
+  var events
+
+  if (typeof options.events == 'string' && options.events != '*')
+    events = [ options.events ]
+
+  else if (Array.isArray(options.events) && options.events.indexOf('*') == -1)
+    events = options.events
+
   // make it an EventEmitter, sort of
   handler.__proto__ = EventEmitter.prototype
   EventEmitter.call(handler)
@@ -54,6 +62,9 @@ function create (options) {
     if (!id)
       return hasError('No X-Github-Delivery found on request')
 
+    if (events && events.indexOf(event) == -1)
+      return hasError('X-Github-Event is not acceptable')
+
     req.pipe(bl(function (err, data) {
       if (err) {
         return hasError(err.message)
diff --git a/package.json b/package.json
@@ -21,6 +21,7 @@
     "buffer-equal-constant-time": "~1.0.1"
   },
   "devDependencies": {
+    "run-series": "~1.0.2",
     "tape": "~4.6.0",
     "through2": "~2.0.1"
   }
diff --git a/test.js b/test.js
@@ -2,6 +2,7 @@ const test     = require('tape')
     , crypto   = require('crypto')
     , handler  = require('./')
     , through2 = require('through2')
+    , series   = require('run-series')
 
 
 function signBlob (key, blob) {
@@ -96,6 +97,65 @@ test('handler accepts valid urls', function (t) {
 })
 
 
+test('handler can reject events', function (t) {
+  var acceptableEvents   = {
+          'undefined'                     : undefined
+        , 'a string equal to the event'   : 'bogus'
+        , 'a string equal to *'           : '*'
+        , 'an array containing the event' : ['bogus']
+        , 'an array containing *'         : ['not-bogus', '*']
+      }
+    , unacceptableEvents = {
+          'a string not equal to the event or *'   : 'not-bogus'
+        , 'an array not containing the event or *' : ['not-bogus']
+      }
+    , acceptable         = Object.keys(acceptableEvents)
+    , unacceptable       = Object.keys(unacceptableEvents)
+    , acceptableTests    = acceptable.map(function (events) {
+        return acceptableReq.bind(null, events)
+      })
+    , unacceptableTests  = unacceptable.map(function (events) {
+        return unacceptableReq.bind(null, events)
+      })
+
+  t.plan(acceptable.length + unacceptable.length)
+  series(acceptableTests.concat(unacceptableTests))
+
+  function acceptableReq (events, callback) {
+    var h = handler({
+        path    : '/some/url'
+      , secret  : 'bogus'
+      , events  : acceptableEvents[events]
+    })
+
+    h(mkReq('/some/url'), mkRes(), function (err) {
+      t.error(err)
+      t.fail(false, 'should not call')
+    })
+
+    setTimeout(function () {
+      t.ok(true, 'accepted because options.events was ' + events)
+      callback()
+    })
+  }
+
+  function unacceptableReq (events, callback) {
+    var h = handler({
+        path    : '/some/url'
+      , secret  : 'bogus'
+      , events  : unacceptableEvents[events]
+    })
+
+    h.on('error', function () {})
+
+    h(mkReq('/some/url'), mkRes(), function (err) {
+      t.ok(err, 'rejected because options.events was ' + events)
+      callback()
+    })
+  }
+})
+
+
 // because we don't inherit in a traditional way
 test('handler is an EventEmitter', function (t) {
   t.plan(5)

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@`
`21`	`21`	`"buffer-equal-constant-time": "~1.0.1"`
`22`	`22`	`},`
`23`	`23`	`"devDependencies": {`
	`24`	`+ "run-series": "~1.0.2",`
`24`	`25`	`"tape": "~4.6.0",`
`25`	`26`	`"through2": "~2.0.1"`
`26`	`27`	`}`